Top gaming engine Godot hijacked to infect thousands of PCs with malware

LovabledanielsNovember 28, 202487 Views

Security researchers from Check Point Research discover new malware loader written in Godot’s programming language
Godot is a popular open source game development platform
At least 17,000 devices were infected with infostealers and cryptojackers so far

Hackers are abusing a popular gaming engine to infect people’s computers with malware used to steal private data and cryptocurrency.

Researchers from Check Point Research have detailed a previously undetected hacking technique targeting users of the Godot Gaming Engine, an open source game development platform used to build both 2D and 3D games across Windows, macOS, Linux, Android, iOS, HTML5, and others, with a community of more than 2,700 developers.

Check Point says since late June 2024, crooks have been building malicious code written in GDScript (Godot’s Python-like scripting language) calling on some 200 GitHub repositories and more than 220 Stargazer Ghost accounts, which were hosting a piece of malware called GodLoader.

Infostealers and cryptojackers

In typical malware loader fashion, GodLoader would drop different malware to the infected devices, with the researchers spotting mostly RedLine stealer, and XMRig, a popular cryptojacker.

RedLine is an infamous infostealer capable of grabbing passwords, crypto wallet details, and other data stored in browsers, sensitive data, session cookies, and more. XMRig turns the infected device into a cryptocurrency miner, generating tokens for the attacker (while rendering the computer useless for pretty much anything else).

GodLoader, the researchers further explained, was downloaded at least 17,000 times, which is a rough estimate on the number of infected devices. However, the attack surface is much, much larger.

Check Point argues that in theory, crooks could hide malware in cheats, cracks, or modes, for different Godot-built games. Looking at the number of popular games developed with Godot, that would put the attack surface at approximately 1.2 million people.

Since GodLoader is yet to be flagged by most antivirus programs, it is essential to remain vigilant at this time, and careful when dealing with Godot-related content.